Facebook users hit by hardcore porn, violence and animal abuse images

Explicit and violent images have flooded the newsfeeds of many Facebook users in the last 24 hours or so.

The content, which includes explicit hardcore porn images, Photoshopped photos of celebrities such as Justin Bieber in sexual situations, pictures of extreme violence and even a photograph of an abused dog, has been distributed via the site - seemingly without the knowledge of users.

Some Facebook users vented their annoyance on Twitter, with some claiming they would deactivate their Facebook accounts as a result.

One commenter to Naked Security, rxladyblue, told us:

I just viewed a gay pornography pic that was on the news feed under her name. She could not see the pic but all of her friends could see it.

Another Facebook user, ralahinn1, said:

One of my friend's accounts was compromised and messages containing a video were sent. My daughter's boyfriend had something posted on his wall that he couldn't see on his computer, but my daughter could see on his wall from hers.

It isn't presently clear precisely how the offending content has been spread - whether users are falling for a clickjacking scheme, are being tagged in content without their knowledge, have poorly chosen privacy settings, have been tricked into installing malicious code, or have fallen victim to another vulnerability inside Facebook itself.

What's clear, however, is that mischief-makers are upsetting many Facebook users and making the social networking site far from a family-friendly place.

Reporters at Gawker have speculated that hackers associated with Anonymous may be responsible for the attack, but that is unconfirmed.

So, it seems highly offensive spam content has successfully spread via Facebook for 24 hours or more. It's precisely this kind of problem which is likely to drive people away from the site. Facebook needs to get a handle on this problem quickly, and prevent it from happening on such a scale again.

Of course, this incident raises another important question. Many firms may be comfortable allowing users to access sites such as Facebook, but what happens when hardcore pornographic and offensive content is being spread? Should companies block access to sites hosting offensive content?

Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos page on Facebook, where over 140,000 people regularly share information on threats and discuss the latest security news.

Update: In September 2011, Naked Security published a story about a widespread warning that had been spread between Facebook users, warning of pornographic movies appearing on Facebook users' walls - visible to the user's friends, but not to the user themselves. At the time we found no evidence of this occurring, and so considered the story likely to be a hoax. In light of the most recent incident described above, it seems sensible to retract that advice. We would like to apologise for any confusion or inconvenience caused - this issue has been very complicated to investigate, and we continue to look into it.

Update 2: Facebook has released a statement concerning the spread of this scam and a related browser vulnerability.

I keep telling my friends it's likely something through an app or a page that everyone's favourited. Being extremely paranoid, I never add applications (well, with 2 exceptions - Last.fm and some other one I can't recall) and rarely "like" anything that could post things to my newsfeed (i.e. anything other than official band/writer/book pages). Combined with the fact that I've seen none of the abovementioned content leads me to believe more strongly in my hypothesis - that it's not Facebook, but apps/pages.

Yep, I agree. Friends have asked me to look into spam coming from them and when I look at the apps they accept it is obvious that it is the apps. "Who has looked at my profile" being the one I see the most. As soon as I remove the apps from their profiles all the spam stops. Amazing how simple it is to keep your feed clean. I'm not sure if liking a page can post to your feed though. I at least haven't seen it happen. It's always dirty apps that people allow to post to their feed that do the spamming that I have seen so far.

Yes, I would assume it's apps - I mean, obviously things could be posted to YOUR news feed if you had "liked" the said pages, but your friends would be unable to see such things on your wall/wherever.

I always thought Facebook apps to be a horribly insecure waste of time in the first place, and just never went for them. Pages, again, I may like if I'm 100% sure it's the official page for, say, Pink Floyd, Coldplay, etc. - while I acknowledge these, too, can be attacked/used to spread spam and malicious content, they're far more secure than giving all of your info to Zynga or its ilk.

I have noticed something recently... when I click on "like" for a YouTube video and then go back to Facebook I don't see it in my news feed, but if I click on my profile I see it there, so I am assuming that Facebook is assuming that since I shared it I already know it's there and don't need it to be shown to myself in my news feed... or maybe it is a bug. Do you know if the people affected by this were only looking at their news feed or if they actually clicked on their name and went to their profile and couldn't see it there as well?

We posted an article in September (that we linked to again yesterday from our Facebook page) advising that we had found no evidence to support the warnings.

It has now become clear that there is an issue related to the warnings. Please accept our apologies for any inconvenience caused - we're trying to get to the bottom of this issue, just as many Facebook users are.

We linked to it again yesterday from the Sophos Facebook page, and have since updated it based on information and feedback we received from the community.

We're very sorry for any confusion and inconvenience caused. We try really hard at Sophos / Naked Security to get things right, and on this occasion we clearly dropped the ball.

There's still some mystery around what Facebook users have experienced. We are doing our best to investigate, but ultimately we probably need Facebook itself to share some details of what is occurring on their site.

"You posted it YESTERDAY!!!!!!!!!!!!!!!!"
Stop whining. You're acting like a child. They're giving you FREE advice, you take it or leave it. If it's not accurate, then it's your fault alone for not verifying it.

Oh shut up. You seem to have a hard time understanding simple concepts like when a page is posted or linked to. If I post a link to an article written and posted a couple of months ago, that does not change when it was originally posted.

I can imagine it is people like you who fall for the clickjacking and cross site scripting attacks as well.

My 10-year-old daughter has been bugging me for at least a year to let her have an FB account. This is the most important reason not to let her loose on FB yet; she's still quite an innocent young girl and I don't want that innocence broken in such a way. Facebook needs to shape up and prevent this type of thing.

Plus, you have to be at least 13 years of age BY LAW to have a Facebook. I've had my Facebook since I was 14 (I'm 16 now), and I've seen my fair share of graphic scam/spam clickjackings (i.e. video thumbnails showing graphic images) and whatnot.

Most of the spam itself is easy to remove, but the mental image could stay forever. Several of my friends aren't intelligent enough to know the risk of clickjacking scams and how graphic the spam is until it's already all over their friends' walls.

Say your daughter DID get a Facebook - one of her friends could've been curious about some sort of said video on another friend's wall, and is then allowing the pornographic, violent, gory, etc. image to be plastered all over their friends' walls - including your daughter's.

If you ever DO decide to let her have a Facebook anytime soon, STRONGLY enforce the awareness of the dangers of allowing some apps to access your permission and to be careful as to what she clicks on friends' walls. Mostly, though, the best advice would be to at least wait 'til she's 13...
Facebook wasn't this bad when I joined... =/

Although children under 13 can give out private information, the conditions and restrictions are so onerous that it's just legally easier to forbid under 13. (Sites such as Disney's make the parents jump through the required hoops.)

The law to which he is referring is COPPA, the Children's Online Privacy Protection Act. Essentially a Web site cannot collect information on children under 13 without "verifiable parental consent."

Facebook, like many other sites, simply limits registration to those 13 and older, so that they don't have to obtain that consent. Even then, verification that someone is 13 or older is difficult if not impossible, since anyone can lie when joining the site.

Glenn: Before you consider letting a 10-year-old loose on FB, you had better read the Facebook agreement paragraph 4.5 (which you accept when clicking "agree"): You will not use Facebook if you are under 13... Maybe there's a reason for that? :-)

Admirable, Glenn, but if she is asking for it then she is hearing from her friends what is what on Facebook. You just have to tell her that some things on there are not nice and to tell you if anything like that happens, and hope that she uses the FB account to keep in touch with her friends.

If you let her at 13, I would keep the password to myself (she should not know) and restrict use to a single computer/laptop without password stored (so mobile phones or other devices don't auto-remember the password) in an effort to make sure any facebook usage is done under parental supervision.

I think an apology is in order. I told my friends that they were perpetuating a hoax by warning everyone of this, because I had read on Sophos that it was just that... a hoax. You should not only retract that advice, you should apologize. You made a fool out of me.

We're sorry. We try to get things right most of the time, but occasionally we slip up.

When we posted (in our September article) that we believed the warnings were false that was because we had found no evidence that what was being described in the warning was taking place. It is only now, two months later, that evidence has come to light.

Please accept our apologies for any inconvenience - this has been a complicated issue to get to the bottom of. The problem has been compounded by the fact that many Facebook users appear to be unaffected by the problem. It is not yet clear why some Facebook users are seeing the unpleasant content and others are not.

M4P, I feel the same way... I spent a lot of time online yesterday 'arguing' with someone about how they were perpetuating the 'hoax'... I really go to bat for Sophos and recommend all my friends follow them... now come to find out they are not on top of things like they brag to be. :( Boy, do I look stupid now... Sophos, this is what you do all day long and you encourage people to 'follow' you because you are doing the leg work for us by researching all this, and come to find out you just posted an old article... hmmm... sign me
very disappointed and embarrassed :(

Get over it, guys. I did the same and this is the first time in over 2 years where the information wasn't accurate. As Graham Cluley has stated, Sophos reposted an article from September as it appeared to be exactly the same situation.
Be embarrassed and be disappointed, but think of how many times Sophos has helped you and your FB friends, and also ask yourself if you have ever gotten anything wrong!
You people need to learn to accept an apology and then shut up and stop complaining. :D

Why don't you in future say "Sophos says..." and then you won't look like a fool having argued with your friend. Sophos are not infallible but they do a damn fine job here and don't have anything to apologise for really when they're only doing the best they can to warn people about these things (though Graham is nice enough to apologise anyway).

Furthermore, the article Sophos posted in September was clearly an opinion based on the evidence at hand at the time and could easily have been true without the additional evidence later that suggested otherwise.

I think some people are wrongly feeling far too entitled and ungrateful for the value for money (i.e. free) they are getting from this blog.

Thank you Graham. No need for an apology in my book but your dedication to high quality and service to your readers is much appreciated.

I have noticed it; the more fuss created over it, the bigger the issue will become. That is the way Facebook works. The more comments a post receives, the more weight it will hold, and surely Facebook does not like the idea of introducing negativity into their model, so you won't find a dislike link or button that could drive the post's weight down. Just refrain from your urge to comment with your distaste. Instead click that little [x] and forget what you just saw, and if you really must comment about it then do not comment on the post but rather make your own status post expressing your distaste.

I have been seeing it for the past 3 days. I believe one of the ways it happened was people trying to watch a video that said "95% of people cannot watch this", and the still showed a guy with a great big boil on the back of his neck. I started seeing that last week.

I agree, John. I noticed on my Facebook account there has been a more than usual amount of links from other people to the type of videos that you just listed, and unfortunately there have been numerous people clicking on these links too. I've actually deleted a few people in the past due to them clicking/posting copious amounts of these kinds of links, after warning them a few times what they are about.

Well you had better not trust what anyone else on the internet says then because it wasn't just Sophos reporting the message as a hoax. Furthermore, it is belligerently stupid of you to expect that anyone not in possession of a magical crystal ball to be right about everything 100% of the time. You are indeed a fool and the apology should be yours to make.

A hoax would imply that no one was seeing the photos and this just didn't happen. I have not seen Sophos post anything to that extent. Sophos, however, is just a group of people like you or I, so they are entirely capable of misunderstanding or even being wrong. As a matter of fact you yourself admit to blindly posting what they had to say, yet you blame them for your actions? Maybe you also should start to investigate your sources before opening your mouth and inserting a foot.

Seriously... you're mad because they ended up telling the truth even after they retracted and apologized for it being a hoax? He even stated in his retraction that they did not find enough evidence to support their claim, meaning he did the right thing by retracting his comment. I bet you are one of those people who sees it on the internet, automatically believes it to be the whole truth, doesn't recheck sources on their own, then runs out and tells their entire IT dept, friends, family, Twitter, world, etc... how "OMG this is fact!!" So if something doesn't happen the way you told everyone, you look like a Jack*ss - well, guess what you are!! Try researching, get the facts, and get quotes from multiple sources together before you let your fingers run wild on the keyboard and embarrass yourself on the web.

It is partially FACEBOOK's fault, as they went and made changes to the layout, and have YET to update their Help files. Some of our old security settings are no longer available. My friend was infected and he did nothing more than comment for the original poster to stop posting that sort of content. He had all of the security settings at maximum protection, even blocking people from tagging him in photos without permission. Facebook has allowed this loophole to remain, even though they made changes to stop the clickjacking virus scams... Apparently, they let this vulnerability remain open... This is NOT coming from an application; it appears to come from a Mobile Upload.

So far all the porn and dying animal photos I have seen are actually coming from typical profiles of people that have posted it to their own profile, and then friends of mine have commented on it, which sends it to my news feed. If it were not for my friends' comments I would not have seen any of it. I am only guessing here, but I figure this is a sign that it is actually an infection and I myself am just not infected. "Yet, anyway". I did notice that this started about 3 days ago, and at that time I did notice an influx of those click-to-watch type videos. People really can't help themselves but to click that nonsense and then blame Facebook and Sophos for their own actions. Likewise, I do not do apps either. I have a very small handful of them installed and only ones that I actually use. I also frequently go through installed apps to make sure there are none that I don't recognize or that are no longer functioning properly.

I had this happen to me. I went to a link to report this and caught a virus that crashed my computer. I did warn my friends and then retracted it. Now here I sit without a computer and no money to repair it...

I stand by my continual warnings, asking folks to REPORT any sexually explicit and/or violent images and to warn others of exactly WHAT was seen, with any text that was on it, if possible. Vague warnings serve no purpose whatsoever.

I know how it's being done and the guy who did it can do a LOT worse, he's actually using this method to make 50k+ a day. Graham, what's the best way to contact you? I even have the source code to this method

I still find it hard to believe that if a hacker gained access to my account, they would just post graphic images or videos. I would think they would want to use this access to my personal information to perform much more devious acts. I still believe that people are clicking on links and once they realize they have been duped, don't want to admit it, so they say their account must have been hacked.

"I still believe that people are clicking on links and once they realize they have been duped, don't want to admit it, so they say their account must have been hacked."
That is exactly what they mean when they say their accounts were hacked...

It's true! No one mentioned the "Hate Miley Cyrus" prompt and the past "Asian sluts" invasion that hacked into some folks' pages... I have found Google+ to be the new "civilized" and secure social network for thoughtfully serious and creative connections. There is no filter to block out the BS on FB and, in my opinion, it is an embarrassment to itself at this point in time.

I think it's interesting how many people are demanding an "apology" from Sophos. Grow up. They've clearly stated they made a mistake and they've apologized. Get over it. If you don't trust Sophos anymore, try to find some other website that is as successful as they are at helping root out lies and expose the truth. I doubt you'll find one. Sure- this is disappointing news and even embarrassing, but Facebook is the problem- not Sophos. Direct your anger towards Facebook.
Sophos- thanks for working on this. I appreciate it. I'll be watching for more updates concerning this recent development.

A friend of mine was a victim of this crap: the picture was hardcore gay porn, and it appeared to be uploaded from another user via "Mobile Upload". There was no application name associated with this image like there has been on other clickjacking scams. One thing seems clear: it's that he was infected when he commented on the pic for the user to remove the image and not share that type of content on his wall. I think for now we should advise people NOT to CLICK or COMMENT on these things and instead REPORT the images to Facebook, and message the user in a new or separate post or inbox message.

Your friend was not infected with anything. This is just the new way that Facebook works. If you comment on a popular post or picture (one with a lot of comments) it gets posted to all of your friends' (or at least those who "subscribe" to you) feeds.

You are correct in that the right thing to do is to NOT comment and instead report the image.

The "hackers" have infiltrated the contact lists of many of the Facebook users and in turn send all these links to the person's contacts without the person being aware; then when the receiver opens the link, supposedly from their friends or family, their contact list becomes infiltrated and sent to their contacts, and so on and so on.
This happened to me. I thought my daughter sent me a link - it was her e-mail address - but the key was "there was no subject in the subject line". When I opened the link enclosed, I found out by accident that all my contacts had received these links. I immediately changed the password of my e-mail and alerted my contacts as to what happened and to change their passwords also. This is a great problem and Facebook should be held liable.

Everyone quit whining about their misinformation. The author has apologized numerous times. Sophos keeps you up to date on security threats and helps keep you aware. It made you aware. Hoax or not. Quit getting caught in technicalities and go clean up your facebook.

The last 10 days have been horrible on Facebook. One day I will log on and there's some pornography there, then the next day it's graphic images of a Muslim holocaust of kids being slaughtered, like wow wtf!! How is Facebook going to get it back to where it was?

I don't understand why it is happening so much to some people, but yet I have not seen any of it and neither has anyone in my immediate family, or even siblings, nieces, nephews etc. Only a handful of my Facebook friends have had this problem. Is Facebook doing anything to investigate where this is coming from? I see lots of speculation flying around; any credible answers?

Graham, I've been looking into this for my sister and I noticed that in Chrome she had an extension called Yontoo. She was getting loads of adverts all over Facebook and they were appearing on people's walls, but nobody else could see them. Yontoo (http://www.yontoo.com/) is a plug-in which adds layers to web sites, giving the appearance that the site is delivering the content. I disabled the add-on and removed the app from Add/Remove Programs and the layers disappeared. My guess is someone's used this with an exploit to deliver the images to people's Facebook experience. That would explain why they think their friends have been hacked when their friends can't see any posts etc. Any thoughts? @SecBoyUK

I've had the lot (I think), and in my case I'm just putting it down to tags. A lot of the photos I was getting (none since I've been out of bed today though, so hopefully it's stopped) were showing up as "X has tagged Y in a photo." I copped the lot when it came to that stream of crap too: hardcore porn, anti-abortion pics etc.

A rogue page (or series of rogue pages) is all I was putting it down to. I have a lot of people on my friends list, and if even 1% of them had fallen for liking something - or whatever - then that would have been enough. The page (or app or whatever) was, I suspect, being banned and then resubmitted. I was getting it in waves: 2-3 when I logged on and then nothing for 2 hours, then suddenly another 2-3.

It's a little more than the standard clickjacking scams, I think, but whether that signifies all that much or not, only time will tell. (The anti-abortion stuff is what struck me as strange. That's not the type of stuff that most people would be tempted to click on.)

They also started trolling God's page, posting nasty sexual pictures. At first I found it hilarious; now I think it's gotten out of hand. Porn has taken over many social websites. Tumblr is ass-obsessed and now FB has porn everywhere. Although I find the Justin Bieber ones are hilarious.

The LVVM.EXE trojan is being pushed through Facebook now as well. We had a user click on her FB friends story, which resulted in LVVM.EXE and a number of other packages deploying. McAfee was disabled as well.

All these posts saying 'Facebook should prevent this sort of thing' are totally failing to see the problem. Facebook is a programmable app, and therefore should only be used by people that understand programming. Allowing non-programmers to use programmable apps such as Facebook is like allowing an inexperienced child to drive a car - they may be OK for a while, but eventually they will come unstuck.

That's not really the problem. People who are exploiting Facebook are ones who know the programming API very well. They are building apps to take advantage of the open loopholes. It's Facebook users, not programmers, who are inexperienced and being taken advantage of. Facebook is at fault for providing the interfaces for abusers to take advantage of, and FB users are at fault for not being security conscious and clicking dodgy links.

It could be something to do with the video of a gigantic boil on the back of a guy's neck that was being circulated. I got the link to it 4 times from the same friend, sent to my mailbox.

It asks you to click for a security check or something like that. I didn't click it, but lots of people did and it was being shared all over the place. The odd thing was, the links sent to my mailbox weren't all the same address, although the thumbnail was exactly the same.

Unsuspecting (and uneducated) users might paste JavaScript into their browser address bars as instructed, or allow such (unknown) apps on their account to do things (or mess up their things, putting spam, putting such lewd videos and explicit content there without the user's knowledge).

I think also that Facebook should reconsider their security measures, especially, on allowing apps on Facebook, and on dealing with such nasties.

On the user's part: it is the responsibility of the user to know such security measures, and to use any instruments (web browsers, for example) responsibly and legibly.

We also all have our part here. We also have the responsibility to educate and warn other people on how to deal with such nasties, educating the users that have casual to no knowledge about responsible use of social networking sites in their browsers, on maximizing security and securing their computer, and on keeping malicious hackers and others at bay.

This is just the trap to force people to leave Facebook, and just the rumours that the Facebook founders are doing nothing about the security. The truth is that the Facebook team is on high alert and is working on it day and night; the result will be with us in a very few hours. And moreover, everyone knows that these are hackers doing this, and not the person himself, so there is no question of degrading someone's image in front of others. So, be bold, my friends, and say we won't leave Facebook.

The problem with external censorship is that it NEVER includes adequate appeal provisions so that a site whose content is blocked wrongfully can appeal such blockage effectively. And the criteria usually end up boiling down to "don't do anything I won't like" ... a rather imprecise measure in the first place.

Any service that functions as an open forum should definitely include "safe spaces" of some sort, with clearly defined (ah, there's the rub) criteria and limits for content. But they should also recognize their general responsibility to provide forum for those who choose to exchange other content as well.

Okay, may I just say that the poll question is grossly flawed. Obscene content is in a completely different category from "hate sites." Not only are they fundamentally different (both in terms of content and the effect on professionalism and productivity in the workplace), but sites are also often labeled "hate sites" simply for being extremely politically incorrect or strongly opposed to a certain political viewpoint.

Honestly, this does not happen unless someone gave a third party rights to post as oneself. I see odd things from time to time, but I just hide that person from my feed. If someone says they don't know what they are talking about, that person is a liar.

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley